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CERTIFICATE OF MAILING 
I hereby certify that this paper (along with any p^er referred 
to as being attached or enclosed) is being deposited with the 
United States Postal Service as Express Mail No. 
EL655031318US addressed to: Assistant Commissioner for 
Patents, Box: DAC, Washington, DC, 20231 on October 19, 
2000 , 



Bv: <::xUi'^^ 



Assistant Commissioner for Patents 
Box: Reissue 
Washington, B.C. 20231 



REISSUE APPLICATION PRELIMINARY AMENDMENT 



Sir: 

In conjunction with the filing of a Reissue Application, please amend the specification of 
the above-mentioned U.S. Patent and consider the remarks as hereafter provided: 

In the Specification other than Claims: 

Replace the paragraph beginning at column (hereafter ''col ") 7, line 4 with the^ 
fi)llowing: 

This application claims the benefit of U.S. Provisional Application No. 
60/033,271 for PUBLIC KEY CRYTOGRAPHIC APPARATUS AND METHOD, filed 
Dec. 9, 1996, naming as inventors, Thomas [Colins] Collins , Dale Hopkins, Susan 
Langford and [Michale] Michael Sabin, the [discolsure] disclosure of which is 
incorporated by reference. 



Replace the paragraph beginning at col 1, line 64 with the ftyllowing: 

The RSA scheme capitalizes on the relative ease of creating a composite number 
fi-om the product of two prime numbers whereas the attempt to factor the composite 
number into its constituent primes is difficult. The RSA scheme uses a public key E 
comprising a pair of positive integers n and e, where n is a composite number of the form 
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n=p-q (1) 

where p and q are different prime numbers, and e is a number relatively prime to (p-1) 
and (q-1); that is, e is relatively prime to (p-1) or (q-1) if e has no factors in common with 
either of them. Importantly, the sender has access to n and e, but not to p and q. The 
message M is a number representative of a message to be transmitted wherein 

0<M<nA. (2) 

The sender enciphers M to create ciphertext C by computing the exponential 

[C=M"(mod n)] C^MHrnoAn) . (3) 



Replace the paragraph beginning at col 2, line 19 with the following: 

The recipient of the ciphertext C retrieves the message M using a (private) 
decoding key D, comprising a pair of positive integers d and n, employing the relation 

[M=& (mod n)] C=M Vod n^ (4) 

As used in (4), above, d is a multiplicative inverse of 

e(mod(lcm((p-l),(^-l)))) (5) 

so that 

[e-c^-l(mod(lcm((p-l), (^-1))))] e d^ Umodacmrfp-n, (a-im (6) 

where lcm((p-l), (q-1)) is the least common multiple of numbers p-1 and q-L Most 
commercial implementations of RSA employ a different, although equivalent, 
relationship for obtaining d: 

[d=e^ mod(p-l) (^-1)] d^e^ mod(fa-lV(a-ny ^ (7) 

This altemate relationship simplifies computer processing. 



Replace the paragraph beginning at col 3, line 23 with the following: 
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It is still another object of this invention to provide a system and method for 
implementing an RSA scheme in which the [components] factors of n do not increase in 
length as n increases in length. 

Replace the paragraph beginning at coL 3, line 27 with the following: 

It is still another object to provide a system and method for utilizing multiple 
(more than two), distinct prime number [components] factors to create n. 

Replace the paragraph beginning at col. 5, line 36 with the following: 

The present invention discloses a method and apparatus for increasing the 
computational speed of RSA and related public key schemes by focusing on a neglected 
area of computation inefficiency. Instead of n=p q, as is universal in the prior art, the 
present invention discloses a method and apparatus wherein n is developed from three or 
more distinct random prime numbers; i.e., n=pi p2 . . pk, where k is an integer greater 
than 2 and pi, p2,. . . pk are sufficiently large distinct random primes. Preferably, 
"sufficiently large primes" are prime numbers that are numbers approximately 150 digits 
long or larger. The advantages of the invention over the prior art should be immediately 
apparent to those skilled in this art. If, as in the prior art, p and q are each on the order of, 
say, 150 digits long, then n will be on the order of 300 digits long. However, three primes 
pi, p2 and p3 employed in accordance with the present invention can each be on the order 
of 100 digits long and still result in n being 300 digits long. Finding and verifying 3 
distinct primes, each 100 digits long, requires significantly fewer computational cycles 
than finding and verifying 2 primes each 150 digits long. 

Replace the paragraph beginning at col. 3, line 56 with the following: 

The commercial need for longer and longer primes shows no evidence of slowing; 
already there are projected requirements for n of about 600 digits long to forestall 
incremental improvements in factoring techniques and the ever faster computers available 
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to break ciphertext. The invention, allowing 4 primes each about 150 digits long to obtain 
a 600 digit n, instead of two primes about [350] 300 digits long, resuhs in a marked 
improvement in computer performance. For, not only are primes that are 150 digits in 
size easier to find and verify than ones on the order of [350] 300 digits, but by applying 
techniques the inventors derive fi:om the Chinese Remainder Theorem (CRT), public key 
cryptography calculations for encryption and decryption are completed much faster-even 
if performed serially on a single processor system. However, the inventors* techniques are 
particularly adapted to [be] advantageously apply [enable] RSA public key cryptographic 
operations to parallel computer processing. 

Replace the paragraph beginning at col 4, line 6 with the following: 

The present invention is capable of [using] extending the RSA scheme to perform 
encryption and decryption operation using a large (many digit) n much faster than 
heretofore possible. Other advantages of the invention include its employment for 
decryption without the need to revise the RSA public key encryption transformation 
scheme currently in use on thousands of large and small computers. 

Replace the paragraph beginning at col. 4, line 13 with the following: 

A key assumption of the present invention is that n, composed of 3 or more 
sufficiently large distinct prime numbers, is no easier (or not very much easier) to factor 
than the prior art, two prime number n. The assumption is based on the observation that 
there is no indication in the prior art literature that it is "easy" to factor a product 
consisting of more than two sufficiently large, distinct prime numbers. This assumption 
may be justified given the continued effort (and failure) among experts to find a way 
"easily" to break large [component] composite numbers into their large prime factors. 
This assumption is similar, in the inventors' view, to the assumption underlying the entire 
field of public key cryptography that factoring composite numbers made up of two 
distinct primes is not "easy." That is, the entire field of public key cryptography is based 
not on mathematical proof, but on the assmnption that the empirical evidence of failed 
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sustained efforts to find a way systematically to solve NP problems in polynomial time 
indicates that these problems truly are "difficult." 

Replace the paragraph beginning at col 4, line 32 with the following: 

The invention is preferably implemented in a system that employs parallel 
operations to perform the encryption, decryption operations required by the RSA scheme. 
Thus, there is also disclosed a cryptosystem that includes a central processor unit (CPU) 
coupled to a number of exponentiator elements. The exponentiator elements are special 
purpose arithmetic units designed and structured to be provided message data M, an 
encryption key e, and a mmiber n (where [n=pi *p2 * . . . Pk] n= pypo' . . .-^ ^ k being 
greater than 2) and retum ciphertext C according to the relationship. 



Replace the paragraph beginning at col. 4, line 45 with the following: 

Altematively, the exponentiator elements may be provided the ciphertext C, a 
decryption (private) key d and n to retum M according to the relationship, 

[M=C^ (mod(n))] M^cUmod n^ 

Replace the paragraph beginning at col 4, line 50 with the following: 

According to this decryption aspect of the invention, the CPU receives a task, 
such as the requirement to decrypt [cyphertext] ciphertext data C. The CPU will also be 
provided, or have available, a [public] private key [e] d and n, and the factors of n (pi, p2, 
... Pit). The CPU breaks the [encryption] decryption task down into a number of sub- 
tasks, and delivers the sub-tasks to the exponentiator elements. [When the] The results of 
the sub-tasks are retumed by the exponentiator elements to the CPU which [will], using a 
form of the CRT, combines the results to obtain the message data M. An encryption task 
may be performed essentially in the same manner by the CPU and its use of the 



[C=M" (mod(n))] C^M' (mod n\ 
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exponentiator elements. However, usually the factors of n are not available to the sender 
(encryptor), only the public key, e and n, so that no sub-tasks are created. 

Before the paragraph beginning at col 5, line 52, insert the following paragraph: 

Alternatively, a message data M can be encoded vyith the private key to a signed 
message data using a relationship of the form 

M,. =M^(mod«), 

The message data M can be reproduce from the signed message data Ms by decoding the 
signed data v^ith the public key, using a relationship of the form 

M = M/(mod«), 



Replace the paragraph beginning at col J, line 30 with the following: 

According to the present invention, the public key portion e is picked. Then, three 
or more random large, distinct prime numbers, pi, p2, . . . , Pk are developed and checked 
to ensure that each {pizl} is relatively prime to e. Preferably, the prime numbers are of 
equal length. Then, the product [n=pi, P2, . . . , Pk] n=pvpi^ . . .pir is computed. 

Replace the paragraph beginning at col 5, line 36 with the following: 

Finally, the decryption [key] exponent , d, is established by the relationship: 



[d=e' mod ((pi -1) (p2 -1) . . . (pk -1))] d^e' mod ffa i -IVfa^ -IV ■ ■ .fa. - 



l)\ or equivalently 



e' mod (Icmffa i -1\ (vo -W , , Aw -H^^ 



Replace the paragraph beginning at col 5, line 41 with the following: 
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The message data, M is encrypted to ciphertext C using the relationship of (3), 



Replace the paragraph beginning at coL 5, line 46 with the following: 

To decrypt the ciphertext, C, the relationship of [(3)] £4}, above, is used: 
[M=C^ mod ri\ M^cUmod n) 
where n and d are those values identified above. 

Replace the paragraph beginning at col. 5, line 52 with the following: 

Using the present invention involving three primes to develop the product n, RSA 
encryption and decryption time can be substantially less than an RSA scheme using two 
primes by dividing the encryption or decryption task into sub-tasks, one sub-task for each 
distinct prime. (However, breaking the encryption or decryption into subtasks requires 
knowledge of the factors of n. This knowledge is not usually available to anyone except 
the owner of the key, so the encryption process can be accelerated only in special cases, 
such as encryption for local storage. A system encrypting data for another user performs 
the encryption process according to (3), independent of the number of factors of n. 
Decryption, on the other hand, is performed by the owner of a key, so the factors of n are 
generally known and can be used to accelerate the process.) For example, assume that 
three distinct primes, pi, p2, and p3, are used to develop the product n. Thus, decryption of 
the ciphertext, C, using the relationship 

[M=C^(mod n)] AfeC^(mod n^ 

is used to develop the decryption sub-tasks: 



above, i.e.. 



[C=M' mod n.] C^M' (mod n) 



[Ml =€1"^' mod pi] ML=C^!Jmod£i} 
[M2 =C2^' mod/?2] M2=C^lIrnod£2} 
[M3 ^C/' mod P3] Mr^ ^Cr^Umodv^} 
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where 

[Ci =Cmod p\ :1 C (mod p\ Y 
[C2 =Cmod p2\\ Ci= C (mod p?^ : 
[C3 =Cmod /?3 ;] C (mod pO : 
[t/i =tftnod (pi -1)] (mod (pi -DY 
[dz =cftnod (p2 -1)] di ^dimo&ipy'Vi) : and 
[J3 =<Anod (P3 -1)] d i = d(mo&(pi'\)\ 

Replace the paragraph beginning at col 6, line 24 with the following: 

The results of each sub-task, Mi, M2, and M3 can be combined to produce the 
plaintext, M, by a number of techniques. However, it is found that they can most 
expeditiously be combined by a form of the Chinese Remainder Theorem (CRT) using, 
preferably, a recursive scheme. Generally, the plaintext M is obtained from the 
combination of the individual sub-tasks by the following relationship: 

Y: ^ 7ui +((M (wC^ (mod (mod Pi)V (mod n^ [Yi =^,-.1 -Yi. 
1) {wi^ mod /?/)mod pH-Wt mod «] 

where [i >2] 2< i <k where k is the number of prime factors of n, and 

M=YkYx=Cx,andwrY\ Pj 

Encryption is performed in much the same manner as that used to obtain the plaintext M, 
provided (as noted above) the factors of n are available. Thus, the relationship 

[C=M^ (mod n)] C=M' (mod n\ 

can be broken down into the three sub-tasks, 

[Ci =Mi'' mod Pi] C, = M'' (mod p,). 
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[Ci =M3'' mod C3 = ^3'^ (mod /^j), 

where 

[M\ =M(mod p\)] Mi = M (mod pi \ 
[M2 =M(mod P2)] Mi = M (mod pj) . 
[M3 =M(mod P3)] Mi = M (mod pi) . 
[e\ =emod (pi -1)] gj ^ = e mod (d^'W 
[62 =emod (P2 -1)] ei = e mod (vi -1) , and 
[^3 =emod (p3 -1)] e i^emod(pi'\). 

Replace the paragraph beginning at col 6, line 65 with the following: 

In generalized form, the ciphertext C (i.e., [decrypted] encrypted message M) can 
be obtained by [the same summation] a recursive scheme as identified above to obtain the 
ciphertext C firom its contiguous constituent sub-tasks Q. 



Replace the paragraph beginning at col. 7, line I with the following: 

Preferably, the recursive CRT method described above is used to obtain either the 
ciphertext[,] C[,] or the deciphered plaintext (message) M due to its speed. However, 
there may be [occasions] implementations when it is beneficial to use a non-recursive 
technique in which case the following relationships are used: 

k k 

M= Y M\ (wC^ (mod pO)- w\ (mod n) [M = ^ M (wr^ mod pi) Wj mod 

1=1 /=! 

«] 

where 
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[Wi = Yl Pj] y^i^Yl 
k is the number (3 or more) of distinct primes chosen to develop the product n. 



Replace the paragraph beginning at col. 7, line 1 7 with the following: 

Thus, for example above (k=3), M is constructed from the returned sub-task 
values Ml, M2, M3 by the relationship 

[M=M\ (w\'^ mod p\) w\ mod/w+Ma (wi'^ mod P2) W2 mod n + 

M3 (ws'^ mod p^) W3 mod n] M= M ijw i^ (mod pO)- w^ (mod n) 

+ Ml (wi^ (mod P2))' wj (mod n) 

+ Ml (wi^ (mod pii)' wi (mod y;) 

where 

^\ =P2 P3, >V2 =Pl P3, and >V3 =/?l P2. 



Replace the paragraph beginning at col 7, line 52 with the following: 

The I/O bus 30 communicatively connects the CPU to a number of exponentiator 
elements [32a, 32b, and 32r1 32a. 32b and 32c . Shown here are three exponentiator 
elements, although as illustrated by the "other" exponentiators [32n]32n, additional 
exponentiator elements can be added. Each exponentiator element is a state machine 
controlled arithmetic circuit structured specifically to implement the relationship 
described above. Thus, for example, the exponentiator 32a would be provided the values 
Ml, ei, and pi[, n] to develop C|. Similarly, the exponentiator circuits 32b and 32c 
develop C2 and C3 from corresponding subtask values M2, e2, [P2]g2, M3, ea, and [Palga. 



Replace the paragraph beginning at col 8, line 1 with the following: 
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In order to ensure a secure environment, it is preferable that the cryptosystem 10 
meet the Federal Information [Protection System] Processing Standard (FIPS) 140-1 level 
3. Accordingly, the elements that make up the CPU 14 would be implemented in a design 
that v^U be secure from external probing of the circuit. However, information 
commimicated on the I/O bus 30 between the CPU 14 and the exponentiator circuits 32 
(and external memory 34— if present) is exposed. Consequently, to maintain the security 
of that information, it is first encrypted by the DES imit 24 before it is placed on the I/O 
bus 30 by the CPU 14. The exponentiator circuits 32, as well as the external memory 34, 
will also include similar DES units to decrypt information received from the CPU, and 
later to encrypt information returned to the CPU 14. 

Replace the paragraph beginning at col 8, line 52 with the following: 

In similar fashion, information is conveyed to or retrieved from the exponentiators 
32 by the processor 20 by write or read operations at addresses within the address range 
44. Consequently, writes to the exponentiators 32 will use the DES unit 24 to encrypt the 
information. When that (encrypted) information is received by the exponentiators 32, it is 
decrypted by on-board DES units (of each exponentiator 32). The result[s] of the task 
performed by the exponentiator 32 is then encrypted by the exponentiators on-board 
DES imit, retrieved by the processor 20 in encrypted form and then decrypted by the DES 
unit 24. 

Replace the paragraph beginning at col P, line 24 with the following: 

Assume, for the purpose of the remainder of this discussion, that the 
encryption/decryption tasks performed by the cryptosystem 10, using the present 
invention, employs only three distinct primes, pi, P2, Pa- The processor 20 wdll develop 
the sub tasks identified above, using M, e, pi p2, P3 Thus, for example, if the 
exponentiator 32a were assigned the sub-task of developing Ci, the processor would 
develop the values Mi[,] and ei[, and (pi -1)] and deliver [units] (write) these values, with 
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[n]pi, to the exponentiator 32a. Similar values will be developed by the processor 20 for 
the sub-tasks that will be delivered to the exponentiators 32b and 32c. 

Replace the paragraph beginning at col. 10, line 15 with the following: 

Alternatively, the [post]host-system 50 may desire to deliver, via the 
communication medium 60, an encrypted commimication to one of the stations 64. If the 
commimication is to be encrypted by the DES scheme, with the DES key encrypted by 
the RSA scheme, the host system would encrypt the communication, forward the DES 
key to one of the cryptosystems 10 for encryption via the RSA scheme. When the 
encrypted DES key is received back from the cryptosystem 10, the host system can then 
deliver to one or more of the stations 64 the encrypted message. 

Replace the paragraph beginning at col 10, line 25 with the following: 

Of course, the host system 50 and the stations 64 will be using the RSA scheme of 
public key encryption/decryption. Encrypted communications from the stations 64 to the 
host system 50 require that the stations 64 have access to the public key [E (E, N)] E=(e, 
n} while the host system maintains the private key [D (D, N,] D=(d, n) and the constituent 
primes, pi, p2, . . . , pk). Conversely, for secure conmiunication from the host system 50 to 
one or more of the stations 64, the host system would retain a public key E' for each 
station 64, while the stations retain the corresponding private keys [E'] D^. 

Replace the paragraph beginning at col 10, line 35 with the following: 

Other techniques for encrypting the commmiication could used. For example, the 
communication could be entirely encrypted by the RSA scheme. If, however, the 
message to be communicated[ion] is represented bv a numerical value greater than n-1, it 
will need to be broken up into blocks size M where 



[0<M<N-1] 0<M<nA . 
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